Overcoming Limitations of Analog Output Transmitters In Safety Systems
by
Steven M. Oxenberg
Application Consultant
Honeywell Inc., Fort Washington, PA.
Improved diagnostic coverage in 4-20ma analog output field instruments is hindered by its inability to communicate
that information to safety interlock devices. Digital communications overcomes the limitations of analog output field
instruments and increases overall plant safety by addressing a greater portion of the "Safety Life Cycle" described
in the IEC-61508 safety standard.
For years plant safety engineers have wrestled with the most economical way to provide the highest degree of plant
safety for both their employees and the towns in which they are located. Most plant safety engineers rely on safety
standards for that guidance.
The three most active safety standard organizations are the North American, ISA-S84 committee, the international
IEC-61508 committee, and the Occupational Safety and Health Administration (OSHA).
--- PART I ---
Standards Jungle
Sometimes standards tend to be either too vague or too specific for your own needs. In the case of industrial plant
safety, the current standards are focused on the use of common analog technology and do not necessarily provide the
guidance for implementing newer digital technologies.
While safety standards are not meant to be prescriptive requirements, they are meant to provide helpful guidelines.
Most safety standards refer to other documents as the means of addressing specific safety issues. Case in point is
ISA S84 [4]. This North American safety standard provides guidance that covers many industries so it
may not help with all industrial safety design specifics. What ISA S84 does provide is an overall view of what
safety practices should be followed.
ISA S84 refers to other standards such as the emerging international draft of IEC-61508 [3]. The IEC
standard provides more detailed information for industrial safety. In some European countries, liability may be
limited to a fine if a company has an independent agency, such as TUV, certify the plant’s safety to the IEC
standard.
Binocular Vision
While all aspects of overall plant safety are included in the IEC standard, far more detail is included on how to
quantify and measure the safety of device electronics. It is unfortunate that the current draft version of
IEC-61508 suffers from this misleading focus on device electronic failures, since reliability analysis has shown
that electronics are the most reliable components and mechanical components the least reliable.
Safety studies, such as the one shown in Figure 1, point to poor change management and human error as the leading
causes of failures. Although IEC-61508 is still in its draft stage, this microscopic focus on device
electronics tends to give its readers a binocular vision of safety.
Figure 1 - Leading Causes of Failures
The Old Way Has Its Limitations
Since IEC-61508 is ‘work in progress’, not all available technologies are documented. More specifically,
the IEC standard deals primarily with implementing devices that use traditional 4-20ma analog signaling. But,
traditional 4-20ma analog signaling has many limitations:
- Limited Signal Range
- Limited Transfer of Information
- Inability to Validate Measurement
- Transmitter Re-Ranging Required
- Unequal Fail-Safe Direction Probability
While the ISA SP50 standard that defines the 4-20ma signal has been around for many years, it does not address
safety. As a result, NAMUR [5] issued a standard, NE-43, which does define a means of implementing
diagnostic safety bands into the 4-20ma signal range. See the "Diagnostic Fault Range" shown in Figure 2.
Figure 2 - NAMUR NE-43 Diagnostic Fault Range
As shown in Figure 2, NE-43 designates a 0.2ma band at each end of the 4-20ma range to signal diagnostic
problems. In practice, this range is often considered too narrow to be practical given drift and calibration errors.
Because of this, NE-43 is not well known and seldom used to annunciate diagnostic information.
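The following is an added example, not code from the article or from Honeywell: it classifies a 4-20ma loop current the way an analog-only safety input must, using diagnostic bands of the width the article attributes to NE-43. The band edges (3.8-4.0ma and 20.0-20.2ma), the 0-100 psi range and the 80 psi trip point are assumptions chosen for illustration, not values quoted from NE-43, and are left as parameters. The last function shows the drift problem the article raises: a small calibration error on a legitimate reading is enough to land it in, or beyond, a diagnostic band.

```python
# Added example: what a 4-20 mA safety input can infer from loop current alone.
# Band edges are assumptions matching the article's "0.2 mA band at each end".

LOW_RANGE_MA = 4.0      # 0 % of span
HIGH_RANGE_MA = 20.0    # 100 % of span
FAULT_BAND_MA = 0.2     # width of the diagnostic band at each end (assumed)


def classify_loop_current(i_ma, low=LOW_RANGE_MA, high=HIGH_RANGE_MA, band=FAULT_BAND_MA):
    """Return what the receiving safety input can infer from the current alone.

    in_range        normal measurement, scale it to engineering units
    fault_low/high  transmitter parked its output in a diagnostic band
    loop_failure    outside even the diagnostic bands (open loop, short, no power)
    """
    if i_ma < low - band or i_ma > high + band:
        return "loop_failure"
    if i_ma < low:
        return "fault_low"
    if i_ma > high:
        return "fault_high"
    return "in_range"


def loop_current_to_pv(i_ma, lrv, urv, low=LOW_RANGE_MA, high=HIGH_RANGE_MA):
    """Scale an in-range current to engineering units for a transmitter ranged lrv..urv."""
    fraction = (i_ma - low) / (high - low)
    return lrv + fraction * (urv - lrv)


def analog_interlock(i_ma, lrv, urv, trip_point):
    """Decision an analog-only interlock is forced into: a fault-band or loop-failure
    reading cannot be told apart from a hazard, so it trips on all of them."""
    state = classify_loop_current(i_ma)
    if state != "in_range":
        return "trip", state
    pv = loop_current_to_pv(i_ma, lrv, urv)
    return ("trip" if pv > trip_point else "run"), state


def drift_misreads(true_ma, calibration_error_ma):
    """Does a calibration or drift error of this size push a legitimate reading out of
    the measurement range?  This is why the article calls the band too narrow."""
    return classify_loop_current(true_ma + calibration_error_ma) != "in_range"


if __name__ == "__main__":
    # Constructed readings for a 0-100 psi transmitter with an 80 psi trip point.
    for i in (4.0, 12.0, 17.0, 3.9, 20.1, 3.5, 22.0):
        print(f"{i:5.1f} mA -> {analog_interlock(i, 0.0, 100.0, 80.0)}")
    # A -0.25 mA calibration error on a 0 % reading is reported as a loop failure.
    print("drift misread:", drift_misreads(4.0, -0.25))
```

Note that a 0.25ma error is only about 1.5% of the 16ma span, yet it is enough to move a 0% reading past the whole diagnostic band; that is the practical objection to NE-43 the article describes.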
No Validation - False Alarms
With no practical means to positively validate an analog 4-20ma signal, most safety interlocks connected to analog
output field devices are obligated to take action ANYTIME the 4-20ma signal exceeds a safety threshold.
Figure 3 - Differing Responses to Corrosion Noise
The safety threshold may be exceeded because the process has moved to an unsafe level or because a field
device’s diagnostic is indicating a maintenance problem. Sometimes the 4-20ma analog signal picks up
stray noise or suffers from a loose or corroded connection. See the corrosion example in Figure 3. Because of the
inability to differentiate status, safety interlock systems must respond to all conditions with equal priority.
With a 4-20ma analog output field device trying to indicate a maintenance problem, the responding safety action may
itself create an unsafe situation by initiating a shutdown. See Figure 4 - Analog Outputs Cause False Alarms.
If caught soon enough, the shutdown can be aborted. But it is the resulting side effects that are of concern to
running both a safe and profitable plant. Those effects, at best, are false or nuisance alarm annunciation. At worst,
a false plant shutdown. In between, are minor process upsets in which the end product quality is reduced along with
its value.
Figure 4 - Analog Outputs Cause False Alarms
False Alarms Reduce Safety
It is not uncommon to have plants with false alarm rates as high as 66%. To see how that can happen, let’s consider a
safety system that uses the 4-20ma analog signal. It can be seen in Figure 4 that since process problems
cannot be differentiated from maintenance problems, and given equal probabilities for the three states, the
false alarm rate is 2/3 or 66%!
False alarms, themselves, reduce plant safety by increasing the possibility of creating a hazardous situation before the
false alarm is cleared. Additionally, safety is reduced by creating a situation requiring personnel to enter a
hazardous equipment area to diagnose a potentially dangerous situation.
--- PART II ---
Trying to Make Analog Safer
The IEC safety standard focuses on quantitative ways to improve field instruments by increasing the diagnostic
coverage of the electronic circuitry. Since that can only be achieved by adding more electronics and software, the
field device’s overall Mean Time To Failure, MTTF [1], actually decreases.
For example, a typical smart pressure transmitter may have an MTTF of 90 years, but one that has added diagnostic
coverage may be reduced to only 80 years. In other words, what the IEC safety standard is telling us is that a field
instrument with worse reliability but better diagnostics provides a safer solution. The unfortunate aspect of this is
that the transmitter with improved diagnostics has no improved means of communicating that information to the safety
interlock, thereby losing most of the benefit gained through its improved diagnostic coverage.
There are a few products on the market attempting to solve the limitations of the analog output. Some communicate
using hybrid protocols such as HART as a means of extracting information from the analog output signal. These products
can be put into two categories:
- Status Monitors
- Configuration Monitors
A Status Monitor’s primary purpose is to validate a field instrument’s 4-20ma output signal by
monitoring only the transmitter’s diagnostic state. HART status monitors are typically able to communicate with
the field instrument at a 500msec-2sec rate. However, since the diagnostic status extracted from the HART signal is
not synchronized to the process measurement’s 4-20ma analog output signal, safety interlocks are still obligated
to act on the 4-20ma analog signal.
A Configuration Monitor’s primary purpose is to detect field instrument configuration changes and
therefore is slower to respond than a Status Monitor. In a multiplexed system, delays of 1 minute to
1 hour are typical. However, even though the Configuration Monitor can detect changes, it still does not
guarantee that the initial field instrument configuration is correct from the start, nor matches that of the safety
system. This fact was most evident in the U.K. HSE Study shown in Figure 1.
Because both types of monitor products are slow to respond, they are rarely connected to safety interlocks. As
a result, safety engineers often add small amounts of damping and/or time delays as a means of reducing the false
alarm rate. This "buying of time", often only 1 second or less, further decreases safety by delaying shutdown action
should the situation be hazardous and require a shutdown.
--- PART III ---
Digital Communication Improves Safety
Fortunately, a simple means exists to overcome all the limitations of the 4-20ma analog signal. That is to use
digital communications between the field instrument and the safety system. See Figure 5 - Digital Output Safety
Transmitter. Digitally communicating field instruments have been available for over a decade. With the variety of
industrial digital communication protocols on the rise, the use of digital process alarm trips is fast becoming the
logical and safer choice.
Figure 5 - Digital Output Safety Transmitter
Digital communications can increase overall plant safety in many ways. But, for years, most safety committees lacked
the understanding of the advantages of digital communications and actually wrote phrases into the standards that
prohibited digital communications in safety systems because, in the committee’s view, the volume of information
communicated would not be managed properly and would decrease safety. That position has changed as those same
committees have accepted the use of microprocessor-based smart transmitters in safety systems.
The benefits gained through digital communications have been long recognized by the safety engineers of plants with
superior safety records. Global corporations, whose safety records are significantly better than the industry’s
average, are gradually adopting digital communications in their safety systems. Safety concerns mentioned in the ISA
and IEC safety standards as the best way to improve the overall plant’s safety can often only be solved through
digital communications. They are typically referred to in the standards as the "Safety Life Cycle". See Figure 6.
Figure 6 - Safety Life Cycle
The "Safety Life Cycle" takes a holistic view of plant safety. But, because the standards are evolving, this area of
most standards has yet to be quantified. Since this model allows us to obtain a much broader appreciation of how to
improve the safety of the entire plant, let’s look at the safety benefits of using digital communications
between the field instrument and the safety interlock system, relative to the "Safety Life Cycle".
Validated Process Measurements
Since the amount of information transferred through digital communications is not limited to just the process
measurement value, an independent diagnostic status is available to VALIDATE the process measurement value. That
status serves to positively differentiate a process problem, requiring safety action, from a maintenance
problem, requiring no safety intervention. See Figure 7 – Digital Outputs Validate Process Alarms.
Figure 7 – Digital Outputs Validate Process Alarms
The presence of a bad status is an indication that a repair is required, as shown in the lower portion of Figure 3.
On the other hand, as shown in Figure 7, a good status when the process measurement value is exceeding a
safety threshold is a positive validation that the safety interlock system needs to respond NOW!
Unlike the analog signal, in which you may have chosen to wait a short period to avoid false alarms due to noise, when
using a digital signal that wait is unnecessary.
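The decision logic described in this section and the 2/3 false alarm figure from PART I, worked as an added example that is not code from the article: an analog-only interlock must trip on every out-of-range or over-threshold reading, while a validated (digital) interlock routes a bad status to maintenance and trips only on a good status with the value over the trip point, or on a sustained loss of status. The three scenarios, the 0-100 psi span, the 80 psi trip point and the assumption that a detected link-integrity problem is reported as bad status rather than silently lost are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from fractions import Fraction
from typing import List, Optional, Tuple

TRIP_POINT = 80.0  # constructed trip threshold, engineering units (0-100 psi span assumed)


class Status(Enum):
    GOOD = "good"          # transmitter diagnostics report a healthy measurement
    BAD = "bad"            # transmitter, or the link's integrity check, reports a fault
    NO_COMMS = "no_comms"  # no status received within the expected update period


@dataclass(frozen=True)
class Scenario:
    name: str
    hazardous: bool              # ground truth: does the process really need a shutdown?
    analog_ma: float             # what a 4-20 mA safety input sees in this scenario
    digital_pv: Optional[float]  # floating-point value carried in the digital frame
    digital_status: Status


def analog_action(analog_ma: float, trip_point: float = TRIP_POINT) -> str:
    """Analog-only interlock: a fault band, a noise spike and a real excursion all
    look like 'threshold exceeded', so every one of them must trip."""
    out_of_range = analog_ma < 4.0 or analog_ma > 20.0
    pv = (analog_ma - 4.0) / 16.0 * 100.0
    return "trip" if out_of_range or pv > trip_point else "run"


def digital_action(pv: Optional[float], status: Status, trip_point: float = TRIP_POINT) -> str:
    """Validated interlock: the status qualifies the value before it is acted on."""
    if status is Status.NO_COMMS:
        return "trip"               # sustained loss of status: fail-safe, no directional bias
    if status is Status.BAD:
        return "maintenance_alarm"  # repair needed; the value is not trusted, no shutdown
    return "trip" if pv is not None and pv > trip_point else "run"


def false_alarm_rate(decisions: List[Tuple[str, bool]]) -> Fraction:
    """Share of trips that no real hazard warranted; Fraction(0) if nothing tripped."""
    trips = [hazardous for action, hazardous in decisions if action == "trip"]
    if not trips:
        return Fraction(0)
    return Fraction(sum(1 for hazardous in trips if not hazardous), len(trips))


# Constructed scenarios, one per state of the article's Figure 4, treated as equally likely.
SCENARIOS = [
    Scenario("process excursion", True, 17.6, 85.0, Status.GOOD),          # 85 psi: real hazard
    Scenario("sensor fault (maintenance)", False, 3.9, 85.0, Status.BAD),  # output parked in low band
    Scenario("corroded connection", False, 21.0, 50.0, Status.BAD),        # loop spike; link fault flagged
]


def compare(scenarios=SCENARIOS) -> Tuple[Fraction, Fraction]:
    """False alarm rate of the analog-only and of the validated (digital) interlock."""
    analog = [(analog_action(s.analog_ma), s.hazardous) for s in scenarios]
    digital = [(digital_action(s.digital_pv, s.digital_status), s.hazardous) for s in scenarios]
    return false_alarm_rate(analog), false_alarm_rate(digital)


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:28s} analog={analog_action(s.analog_ma):5s} "
              f"digital={digital_action(s.digital_pv, s.digital_status)}")
    print("false alarm rate (analog, digital):", compare())
```

With the three states equally likely, the analog path trips three times and two of those trips are false (2/3), while the validated path trips once, on the real excursion, with no waiting period applied to filter noise.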
Specific Diagnostics
Digital communications are able to provide specific detailed diagnostic information about the field instrument. See
Figure 8. As stated in the IEC standard, plant safety is increased as the time to repair a maintenance problem
is reduced.
Figure 8 - Providing Safety Critical Information
Having specific field instrument diagnostic information available in the control room not only reduces the repair time
but also reduces the exposure of personnel to accidents. These prescribed safety enhancements are defined by OSHA
[6] and the IEC "Safety Life Cycle". See Figure 9.
Figure 9 – Meeting Safety Life Cycle Requirements
Management of Change
The limited resolution of analog output transmitters means they must often be re-ranged for process changes. This
increases the probability that errors will be introduced into the transmitter configuration database, allowing a
hazardous situation to go undetected. All safety standards recognize that this is one of the leading causes of safety
system failures and require "management of change".
Because analog output transmitters require more frequent configuration changes, it becomes more important there be a
mechanism to track and document changes. The most often used methods are either manually written or those using
off-line communication schemes, such as HART. Neither scheme is well suited for safety since the manual entry method
is prone to mistakes and off-line communication schemes do not guarantee the safety system configuration matches that
of the transmitter.
Unlike the fixed resolution of analog output transmitters, digital output transmitters use floating point
numbers and are able to communicate virtually any measurement with the same resolution. As a result,
DIGITAL OUTPUT TRANSMITTERS DO NOT REQUIRE RE-RANGING.
In addition, digitally communicating transmitter range information can be automatically compared with that of the
safety system for an exact match.
Digital output transmitter communications is typically monitored real-time for change activity by the control and/or
safety system and automatically logged. This tight level of data integration ensures configuration databases always
match.
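An added example, not code from the article, of the management-of-change failure this section describes and of the automatic range comparison it recommends. The constructed case re-ranges a transmitter from 0-100 psi to 0-200 psi for a process change while the safety system keeps the old range: a true 150 psi is driven as 16ma, which the safety system reads back as 75 psi, below an 80 psi trip point. The comparison and polling monitor that follow are the kind of exact-match check and change log the article says a digital safety system can perform; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AnalogRange:
    """Range a 4-20 mA loop is scaled over: lrv at 4 mA, urv at 20 mA."""
    lrv: float
    urv: float
    units: str


def transmitter_output_ma(true_pv: float, rng: AnalogRange) -> float:
    """Current an analog transmitter ranged lrv..urv drives for a given process value."""
    return 4.0 + 16.0 * (true_pv - rng.lrv) / (rng.urv - rng.lrv)


def safety_input_pv(i_ma: float, rng: AnalogRange) -> float:
    """Value the safety system reconstructs from the current, using ITS OWN range."""
    return rng.lrv + (i_ma - 4.0) / 16.0 * (rng.urv - rng.lrv)


def undetected_hazard(true_pv, transmitter_range, safety_range, trip_point) -> bool:
    """True when a range mismatch makes a hazardous value look safe at the safety input."""
    seen = safety_input_pv(transmitter_output_ma(true_pv, transmitter_range), safety_range)
    return true_pv > trip_point and seen <= trip_point


def range_mismatches(transmitter_cfg: AnalogRange, safety_cfg: AnalogRange) -> List[str]:
    """Exact field-by-field comparison of the two range configurations."""
    return [f for f in ("lrv", "urv", "units")
            if getattr(transmitter_cfg, f) != getattr(safety_cfg, f)]


class ChangeMonitor:
    """Poll the transmitter's range configuration and log every change against the last poll."""

    def __init__(self, baseline: AnalogRange):
        self.last = baseline
        self.log: List[Tuple[int, str, object, object]] = []

    def poll(self, current: AnalogRange, poll_number: int) -> List[str]:
        changed = range_mismatches(self.last, current)
        for f in changed:
            self.log.append((poll_number, f, getattr(self.last, f), getattr(current, f)))
        self.last = current
        return changed


if __name__ == "__main__":
    # Constructed case: transmitter re-ranged 0-100 psi -> 0-200 psi, safety system not updated.
    safety = AnalogRange(0.0, 100.0, "psi")
    transmitter = AnalogRange(0.0, 200.0, "psi")
    trip, true_pv = 80.0, 150.0
    i = transmitter_output_ma(true_pv, transmitter)
    print(f"true {true_pv} psi -> {i} mA -> safety sees {safety_input_pv(i, safety)} psi")
    print("hazard undetected:", undetected_hazard(true_pv, transmitter, safety, trip))
    print("mismatched fields:", range_mismatches(transmitter, safety))
    monitor = ChangeMonitor(safety)
    print("poll 1 changes:", monitor.poll(transmitter, 1), monitor.log)
```

A digitally communicating transmitter would have sent 150.0 psi as a floating point value with its units, so no scaling against a configured range takes place at the safety system and the mismatch cannot arise in the first place; the comparison is then used to confirm the two configurations agree rather than to rescue a misread value.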
Equal Fail-Safe Direction Probability
Analog output transmitters must rely on driving the 4-20ma output signal to the proper fail-safe direction to indicate
diagnostic faults. Driving the analog output within the narrow levels specified in the NAMUR NE-43 standard may be
more than a faulty transmitter is capable of. Additionally, the transmitter’s analog output circuit may be more
prone to failure in the opposite direction of that configured for fail-safe. Digital output transmitters do not suffer
from any directional bias since any failure to communicate status allows the safety system to act repeatably.
--- PART IV ---
Making the Connection
Now that we have examined the value that digital communications brings to safety, let’s compare different ways
to connect smart transmitters to safety interlock systems. Figure 10 shows various ways to connect smart
transmitters to safety interlocks using some of the techniques discussed earlier in a 1oo1 safety application.
Shown are connectivity solutions for traditional analog output transmitters, digital output transmitters, and a hybrid
synchronized-status solution. No HART solution is shown because the diagnostic is not guaranteed to be synchronized
with the analog signal, as explained earlier in PART II, and is not recommended for safety critical
applications.
Figure 10 - 1oo1 Safety Solutions
While all-digital solutions are best, the hybrid synchronized-status solution, shown as #3 in Figure 10,
offers improved safety over both an all-analog or HART solution.
The hybrid synchronized-status solution requires a digital interface module shown in Figure 11. This
module accepts a transmitter’s digital output signal and splits out the process measurements as analog signal
components along with the transmitter diagnostic status. The interface module is, in effect, an extension of the
safety system and usually contains comprehensive internal diagnostics based on the draft IEC 61508 standard. Users who
can mix digital output transmitters and analog input safety systems are able to retain key benefits of each.
Figure 11 – Digital Safety Interface Module
Comparing Solutions
Figure 12 - Comparing Safety Solutions shows various connectivity solutions plotted against two key
IEC 61508 safety parameters. For completeness, Figure 12 also shows an economy and a safety
certified analog output transmitter in addition to the four solutions shown in Figure 10. The
parameters PFDavg, probability of a dangerous failure, and PFS, false alarm rate, should both be small.
As illustrated in Figure 12, economy analog output transmitters provide the worst safety performance.
While safety can be improved by using a higher quality smart analog output transmitter, a better choice would be a
transmitter that has been certified specifically for safety applications. However, specifically
certified analog output transmitters still do not provide the best overall safety. As discussed in the earlier
sections, their higher false alarm rate and limited ability to communicate status can only be solved using digital
communications.
Figure 12 - Comparing Safety Solutions
Digital communications provides not only a safer overall solution but also higher availability and lower false alarm
rates. By not requiring special transmitters, stocking costs are not increased and the full range of device options
are available.
Lower cost, improved shutdown speed, reduced false alarm rate and the ability to utilize multivariable transmitters
are just some of the other benefits obtained from digital communications. Figure 13 summarizes the key values
of using digital communication in safety applications.
Figure 13 - Digital Output Safety Values
Summary
Increased diagnostic coverage in 4-20ma analog output field instruments is lost by its inability to communicate that
information to the safety interlock device. Improving safety is a multi-step process that involves maximizing the
information obtained from field devices. Overcoming the limitations of analog output sensors by selecting sensors with
digital communications will increase the overall solution’s safety.
Integrating digitally communicating transmitters with analog input safety shutdown systems provides a level of process
measurement validity that does not exist with all-analog solutions.
Safety engineers interested in providing the highest degree of overall plant safety are turning to digital
communications as the best means to achieve that goal. Digital communications overcomes the many limitations of 4-20ma
analog output field instruments and is rapidly becoming the next most significant mechanism for increasing overall
plant safety.
Digital communications addresses the entire IEC-61508 "Safety Life Cycle" and is able to economically deliver the
highest level of overall plant safety. The real value of digital communications will be seen when overall plant safety
life cycle costs are reduced and new safety records achieved.
REFERENCES
[1] DOD, "Reliability Prediction of Electronic Equipment", Military Handbook MIL-HDBK-217E, United States Department of Defense.
[2] U.K. Health and Safety Executive (HSE), "Out Of Control" study, published 1995.
[3] IEC, "Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems", IEC-61508 Draft Standard.
[4] ISA, "Application of Safety Instrumented Systems for the Process Industries", ISA Standard, ISA-S84.01, 1996.
[5] NAMUR: Normen Arbeitsgemeinschaft Meß- und Regeltechnik.
[6] OSHA, "Management of Change", OSHA 29 CFR 1910.119.
Steve is currently an Application Consultant with Honeywell's Measurement & Control Division. Steve is
responsible for the integration of field instrumentation via Honeywell’s Digitally Enhanced Protocol, HART
protocol and Foundation Fieldbus. He has been with Honeywell for over 16 years. His Honeywell experience includes the
development of industrial recorders, transmitters, portable field configuration tools and control system digital
integration. Steve holds a B.S.E.E. from Penn State University and an M.S.E.E. from Drexel University with majors in
numerical computing and digital signal processing. He also holds an Executive Management Degree from Ashridge
College, England. Steve holds two U.S. patents relating to the Honeywell Digitally Enhanced integration communication
protocol. Steve also served as Honeywell’s first ISA/SP50 Fieldbus representative.